Abstract. Standard algorithms for reachability analysis of timed automata are sensitive to the order in which the transitions of the automata are taken. To tackle this problem, we propose a ranking system and a waiting strategy. This paper discusses the reason why the search order matters and shows how a ranking system and a waiting strategy can be integrated into the standard reachability algorithm to alleviate and prevent the problem respectively. Experiments show that the combination of the two approaches gives an optimal search order on standard benchmarks except for one example. This suggests that it should be used instead of the standard BFS algorithm for reachability analysis of timed automata.


1 Introduction 

Reachability analysis for timed automata asks if there is an execution of an 
automaton reaching a given state. This analysis can be used to verify all kinds 
of safety properties of timed systems. The standard approach to reachability 
analysis of timed automata uses sets of clock valuations, called zones, to reduce 
the reachability problem in the infinite state space of a timed automaton to the 
reachability problem in a finite graph. We present two heuristics to improve the 
efficiency of the zone based reachability algorithm. 

The algorithm for reachability analysis of timed automata is a depth-first search, or a breadth-first search, on a graph whose nodes are pairs consisting of a state of the automaton and a zone describing the set of possible clock valuations in this state. The use of zone inclusion is crucial for the efficiency of this algorithm. It permits stopping exploration from a smaller zone if a bigger zone with the same state has already been explored.

Due to the use of zone inclusion the algorithm is sometimes very sensitive 
to exploration order. Indeed, it may happen that a small zone is reached and 
explored first, but then it is removed when a bigger zone is reached later. We 
will refer to such a situation as a mistake. A mistake can often be avoided by 
taking a different exploration order that reaches the bigger zone first. 

In this paper we propose two heuristics to reduce the number of mistakes in the reachability analysis. In the example below we explain the mistake phenomenon in more detail, and point out that it can cause an exponential blowup in the search space; this happens in the FDDI standard benchmark. The two heuristics are quite different in nature, so we evaluate their performance on the standard examples. Based on these experimental results we propose a simple modification to the standard exploration algorithm that significantly improves the exploration order.

Fig. 1: A timed automaton and two exploration graphs of its state-space. On the left, the transition to q3 is explored first, which results in exploring the subtree of q3 twice. On the right, the transition to q2 is explored first and subsumption stops the second exploration as Z3 is included in Z'3.

We now give a concrete example showing why exploration order matters. Consider the timed automaton shown in Figure 1a, and assume we perform a depth-first search (DFS) exploration of its state space. The algorithm starts in (q1, Z1) where Z1 = {y ≥ 0} is the set of all clock values. Assume that the transition to q3 is taken first as in Figure 1b. The algorithm reaches the node (q3, Z3) with Z3 = (y > 1) and explores its entire subtree. Then, the algorithm backtracks to (q1, Z1) and proceeds with the transition to q2 reaching (q2, Z2), and then (q3, Z'3) with Z2 = Z'3 = (y ≥ 0). It happens that Z3 ⊆ Z'3: the node (q3, Z'3) is bigger than the node (q3, Z3) which has been previously visited. At this point, the algorithm has to visit the entire subtree of (q3, Z'3) since the clock valuations in Z'3 \ Z3 have not been explored. The net result is that the earlier exploration from (q3, Z3) turns out to be useless since we need to explore from (q3, Z'3) anyway. If, by chance, our DFS exploration had taken a different order of transitions, and first considered the one from q1 to q2 as in Figure 1c, the exploration would stop at (q3, Z3) since the bigger node (q3, Z'3) has already been visited and Z3 ⊆ Z'3. To sum up, in some cases DFS exploration is very sensitive to the search order.

Several authors [3, 6] have observed that BFS exploration is often much more efficient than DFS for reachability testing in timed automata. This can be attributed to an empirical observation that often a zone obtained by a short path is bigger than the one obtained by a longer path. This is the opposite in our example from Figure 1a. In consequence, a BFS algorithm will also do unnecessary explorations. When (q3, Z'3) is visited, the node (q4, Z4) is already in the queue. Hence, while the algorithm has a chance to realise that exploring (q3, Z3) is useless due to the bigger node (q3, Z'3), it will keep visiting (q4, Z4) and all the subtree of (q3, Z3). Indeed, in the standard BFS algorithm, there is no mechanism to remove (q4, Z4) from the queue when (q3, Z'3) is reached. Again, considering the transition from q1 to q2 before the transition to q3, as in Figure 1c, avoids unnecessary exploration. Yet, by making the path q1 → q2 → q3 one step longer we would obtain an example where all choices of search order would lead to unnecessary exploration. Overall, the standard reachability algorithm for timed automata, be it DFS or BFS, is sensitive to the alignment between the discovery of big nodes and the exploration of small nodes.




Fig. 2: Timed automaton with a racing situation.


One could ask what the impact of the pattern from Figure 1a can be, and whether it really occurs. The blowup of the exploration space can be exponential. One example is presented in Figure 2. It is obtained by iterating n times the pattern we have discussed above. The final state q_f is not reachable. By a similar analysis we can show that both the BFS and DFS algorithms with the wrong exploration order explore and store exponentially more nodes than needed. In the automaton there are 2^n different paths to q_{2n+1}. The longest path q1, q2, q3, ..., q_{2n+1} generates the biggest zone, while there are about 2^n different zones that can be generated by taking different paths. If the DFS takes the worst exploration order, all these zones will be generated. If it takes the wrong order half of the time, then about 2^{n/2} zones will be generated. Similarly for BFS.

In the experiments section we show that this far from optimal behaviour of BFS and DFS exploration indeed happens in the FDDI model, a standard benchmark model for timed automata.

In this paper we propose simple modifications of the exploration strategy to counter the problem presented in the above examples. We will first describe a ranking system that mitigates the problem by assigning ranks to states, and using ranks to choose the transitions to explore. It will be rather clear that this system addresses the problem from our examples. Then we will propose a waiting strategy that starts from a different point of view and is simpler to implement. The experiments on standard benchmarks show that the two approaches are incomparable but they can be combined to give optimal results in most of the cases. Since this combination is easy to implement, we propose to use it instead of standard BFS for reachability checking.
Related work: The influence of the search order has been discussed in the literature in the context of state-caching [7, 11-13], and state-space fragmentation [3, 6, 8]. State-caching focuses on limiting the number of stored nodes at the cost of exploring more nodes. We propose a strategy that improves the number of visited nodes as well as the number of stored nodes. In [3, 6, 8], it is suggested that BFS is the best search order to avoid state-space fragmentation in distributed model checking. We have not yet experimented with our approach for distributed state-space exploration.

In terms of implementation, our approaches add a metric to states. In a different context a metric mechanism has been used by Behrmann et al. to guide the exploration in priced timed automata in [5].

Organisation of the paper: In the next section we present preliminaries for this paper: timed automata, the reachability problem and the standard reachability algorithm for timed automata. In Section 3, we propose a ranking system to limit the impact of mistakes during exploration. Section 4 presents another strategy that aims at limiting the number of mistakes. Finally, Section 5 gives some experimental results on the standard benchmarks.

2 Preliminaries 

We introduce preliminary notions about timed automata and the reachability 
problem. Then, we introduce the classical zone-based algorithm used to solve 
this problem. 

2.1 Timed Automata and the Reachability Problem 

Let $X = \{x_1, \ldots, x_n\}$ be a set of clocks, i.e. variables that range over the non-negative real numbers $\mathbb{R}_{\ge 0}$. A clock constraint $\phi$ is a conjunction of constraints $x \mathrel{\#} c$ for $x \in X$, $\# \in \{<, \le, =, \ge, >\}$ and $c \in \mathbb{N}$. Let $\Phi(X)$ be the set of clock constraints over the set of clocks $X$. A valuation over $X$ is a function $v : X \to \mathbb{R}_{\ge 0}$. We denote by $\mathbf{0}$ the valuation that maps each clock in $X$ to $0$, and by $\mathbb{R}^X_{\ge 0}$ the set of valuations over $X$. A valuation $v$ satisfies a clock constraint $\phi \in \Phi(X)$, denoted $v \models \phi$, when all the constraints in $\phi$ hold after replacing every clock $x$ by its value $v(x)$. For $\delta \in \mathbb{R}_{\ge 0}$, we denote by $v + \delta$ the valuation that maps every clock $x$ to $v(x) + \delta$. For $R \subseteq X$, $R[v]$ is the valuation that sets $x$ to $0$ if $x \in R$, and that sets $x$ to $v(x)$ otherwise.

A timed automaton (TA) is a tuple $A = (Q, q_0, F, X, Act, T)$ where $Q$ is a finite set of states with initial state $q_0 \in Q$ and accepting states $F \subseteq Q$, $X$ is a finite set of clocks, $Act$ is a finite alphabet of actions, and $T \subseteq Q \times \Phi(X) \times 2^X \times Act \times Q$ is a finite set of transitions $(q, g, R, a, q')$ where $g$ is a guard, $R$ is the set of clocks that are reset and $a$ is the action of the transition.

The semantics of a TA $A$ is given by a transition system whose states are configurations $(q, v) \in Q \times \mathbb{R}^X_{\ge 0}$. The initial configuration is $(q_0, \mathbf{0})$. We have delay transitions $(q, v) \xrightarrow{\delta} (q, v + \delta)$ for $\delta \in \mathbb{R}_{\ge 0}$, and action transitions $(q, v) \xrightarrow{a} (q', v')$ if there exists a transition $(q, g, R, a, q') \in T$ such that $v \models g$ and $v' = R[v]$. A run is a finite sequence of transitions starting from the initial configuration $(q_0, \mathbf{0})$. A run is accepting if it ends in a configuration $(q, v)$ with an accepting state $q \in F$.

The reachability problem consists in deciding if a given TA $A$ has an accepting run. This problem is known to be PSPACE-complete [1].

2.2 Symbolic Semantics 

The reachability problem cannot be solved directly from $A$ due to the uncountable number of configurations. The standard solution is to use a symbolic semantics of timed automata by grouping valuations together. A zone is a set of valuations described by a conjunction of two kinds of constraints: $x_i \mathrel{\#} c$ and $x_i - x_j \mathrel{\#} c$ where $x_i, x_j \in X$, $c \in \mathbb{Z}$ and $\# \in \{<, \le, =, \ge, >\}$.

The zone graph $ZG(A)$ of a timed automaton $A = (Q, q_0, F, X, Act, T)$ is a transition system with nodes of the form $(q, Z)$ where $q \in Q$ and $Z$ is a zone. The initial node is $(q_0, Z_0)$ where $Z_0 = \{\mathbf{0} + \delta \mid \delta \in \mathbb{R}_{\ge 0}\}$. The nodes $(q, Z)$ with $q \in F$ are accepting. There is a transition $(q, Z) \Rightarrow (q', Z')$ if there exists a transition $(q, g, R, a, q') \in T$ such that

$$Z' = \{\, v' \in \mathbb{R}^X_{\ge 0} \mid \exists v \in Z\ \exists \delta \in \mathbb{R}_{\ge 0}\ \exists v'' :\ (q, v) \xrightarrow{a} (q', v'') \text{ and } v' = v'' + \delta \,\}.$$

The relation $\Rightarrow$ is well-defined as it can be shown that if $Z$ is a zone, then $Z'$ is a zone. Zones can be efficiently represented by Difference Bound Matrices (DBMs) [10] and the successor $Z'$ of a zone $Z$ can be efficiently computed using this representation.

The zone graph $ZG(A)$ is still infinite [9], and an additional abstraction step is needed to obtain a finite transition system. An abstraction operator is a function $\alpha : \mathcal{P}(\mathbb{R}^X_{\ge 0}) \to \mathcal{P}(\mathbb{R}^X_{\ge 0})$ such that $W \subseteq \alpha(W)$ and $\alpha(\alpha(W)) = \alpha(W)$ for every set $W$ of valuations. An abstraction operator defines an abstract symbolic semantics. Similarly to the zone graph, we define the abstract zone graph $ZG^{\alpha}(A)$. Its initial node is $(q_0, \alpha(Z_0))$ and we have a transition $(q, Z) \Rightarrow_{\alpha} (q', \alpha(Z'))$ if $\alpha(Z) = Z$ and $(q, Z) \Rightarrow (q', Z')$.

In order to solve the reachability problem for $A$ from $ZG^{\alpha}(A)$, the abstraction operator $\alpha$ should have the property that every run of $A$ has a corresponding path in $ZG^{\alpha}(A)$ (completeness) and conversely, every path in $ZG^{\alpha}(A)$ should correspond to a run in $A$ (soundness). Furthermore, $ZG^{\alpha}(A)$ should be finite. Several abstraction operators have been introduced in the literature [4, 9]. The abstraction operator $Extra^{+}_{LU}$ [4] has all the required properties above. Moreover, the $Extra^{+}_{LU}$ abstraction of a zone is itself a zone. It can be computed from the DBM representation of the zone. This allows computing the abstract zone graph efficiently using DBMs as a symbolic representation for zones. The $Extra^{+}_{LU}$ abstraction is used by most implementations including the state-of-the-art tool UPPAAL [2]. The theorem below reduces the reachability problem for $A$ to the reachability problem in the finite graph $ZG^{Extra^{+}_{LU}}(A)$.

Theorem 1 ([4]). There is an accepting run in $A$ iff there exists a path in $ZG^{Extra^{+}_{LU}}(A)$ from $(q_0, Extra^{+}_{LU}(Z_0))$ to some state $(q, Z)$ with $q \in F$. Furthermore $ZG^{Extra^{+}_{LU}}(A)$ is finite.



Algorithm 1.1: Standard reachability algorithm for timed automaton A.

 1  function reachability_check(A)
 2    W := {(q0, Extra+LU(Z0))}
 3    P := W                                          // Invariant: W ⊆ P
 4    while (W ≠ ∅) do
 5      take and remove a node (q, Z) from W
 6      if (q is accepting)
 7        return Yes
 8      else
 9        for each (q, Z) ⇒ (q', Z')
10          if there is no (qB, ZB) ∈ P s.t. (q', Z') ⊑ (qB, ZB)
11            for each (qS, ZS) ∈ P such that (qS, ZS) ⊑ (q', Z')
12              remove (qS, ZS) from W and P
13            add (q', Z') to W and to P
14    return No


2.3 Reachability algorithm

Algorithm 1.1 is the standard reachability algorithm for timed automata. It explores the finite abstract zone graph ZG^{Extra+LU}(A) of an automaton A from the initial node until it finds an accepting node, or it has visited the entire state-space of ZG^{Extra+LU}(A). It maintains a set of waiting nodes W and a set of visited nodes P such that W ⊆ P.

Algorithm 1.1 uses zone inclusion to stop exploration, and this is essential for its efficiency. We have (q, Z) ⊑ (q', Z') when q = q' and Z ⊆ Z'. Notice that zone inclusion is a simulation relation over nodes since zones are sets of valuations. Zone inclusion is first used in line 10 to stop the exploration in (q', Z') if there is a bigger node (qB, ZB) in P. It is also used in line 12 to only keep the maximal nodes w.r.t. ⊑ in P and W.

Algorithm 1.1 does not specify any exploration strategy. As we have stressed in the introduction, the search order greatly influences the number of nodes visited by the algorithm and stored in the sets W and P. At first sight it may seem strange that there should be a big difference between, say, BFS and DFS search orders. The cause is the optimisation due to subsumption w.r.t. ⊑ in lines 10 and 12. When equality on nodes is used instead of zone inclusion, every node is visited. Hence, BFS and DFS coincide in the sense that they will visit the same nodes, while not in the same order. The situation is very different with zone inclusion. Consider again the two nodes (q2, Z2) ⊑ (q2, Z'2) in Figure 1b. Since the smaller node (q2, Z2) is reached first, the entire subtrees of both nodes are visited whereas it would be sufficient to explore the subtree of the bigger node (q2, Z'2) to solve the reachability problem. Indeed, every node below (q2, Z2) is simulated by the corresponding node below (q2, Z'2). Notice that the problem occurs both with a DFS and with a BFS strategy since the bigger node (q2, Z'2) is further from the root node than the smaller node (q2, Z2). When the bigger node is found before the smaller one, as in Figure 1c, only the subtree of the bigger node is visited. An optimal search strategy would guarantee that big nodes are visited before small ones. In the remainder of the paper we propose two heuristics to optimise the search order.

3 Ranking system 

In this section we propose an exploration strategy to address the phenomenon we have presented in the introduction: we propose a solution to stop the exploration of the subtree of a small node when a bigger node is reached. As we have seen, the late discovery of big nodes causes unnecessary explorations of small nodes and their subtrees. In the worst case, the number of needlessly visited nodes may be exponential (cf. Figure 2).

Our goal is to minimise the number of visited nodes as well as the number of stored nodes (i.e. the size of P in Algorithm 1.1). Consider again the situation in Figure 1b where (q3, Z3) ⊑ (q3, Z'3). When the big node (q3, Z'3) is reached, we learn that exploring the small node (q3, Z3) is unnecessary. In such a situation, Algorithm 1.1 erases the small node (q3, Z3) (line 10), but all its descendants that are in the waiting list W will still be explored.

A first and straightforward solution would be to erase the whole subtree of the small node (q3, Z3). Algorithm 1.1 would then proceed with the waiting nodes in the subtree of (q3, Z'3). This approach is however too rudimentary. Indeed, it may happen that the two nodes (q4, Z4) and (q4, Z'4) in Figure 1b are identical. Then, erasing the whole subtree of (q3, Z3) will lead to exploring (q4, Z4) and all its subtree twice. We have observed on classical benchmarks (see Section 5) that identical nodes are frequently found. While this approach is correct, it would result in visiting more nodes than the classical algorithm.

We propose a more subtle approach based on an interesting property of Algorithm 1.1. Consider the two nodes (q4, Z4) and (q4, Z'4) in Figure 1b again, and assume that (q4, Z'4) is reached after (q4, Z4). If the two nodes are identical, then (q4, Z'4) is erased by Algorithm 1.1 in line 10, but (q4, Z4) is kept since it has been visited first. Conversely, if the two nodes are different, we still have (q4, Z4) ⊑ (q4, Z'4), and then (q4, Z4) is erased by Algorithm 1.1 in line 10. Hence, as the algorithm explores the subtree of (q3, Z'3), it progressively erases all the nodes in the subtree of (q3, Z3) that are smaller than some node in the subtree of (q3, Z'3). At the same time, it keeps the nodes that are identical to some node below (q3, Z'3), hence avoiding several explorations of the same node.

Now, it remains to make all this happen before the subtree of (q3, Z3) is developed any further. This is achieved by giving a higher priority to (q3, Z'3) than to all the waiting nodes below (q3, Z3). This priority mechanism is implemented by assigning a rank to every node.

Algorithm 1.2 below is a modified version of Algorithm 1.1 that implements the ranking of nodes (the modifications are highlighted). Nodes are initialised with rank 0. The rank of a node (q', Z') is updated with respect to the ranks of the nodes (qS, ZS) that are simulated by (q', Z') (line 15). For each node (qS, ZS), we compute the maximum rank r of the waiting nodes below (qS, ZS). Then, rank(q', Z') is set to max(rank(q', Z'), r + 1), giving priority to (q', Z') over the waiting nodes below (qS, ZS).


Algorithm 1.2: Reachability algorithm with ranking of nodes for timed automaton A. The set P is stored as a tree.

 1  function reachability_check(A)
 2    W := {(q0, Extra+LU(Z0))}
 3    P := W
 4    init_rank(q0, Extra+LU(Z0))
 5    while (W ≠ ∅) do
 6      take and remove a node (q, Z) with highest rank from W
 7      if (q is accepting) then
 8        return Yes
 9      else
10        for each (q, Z) ⇒ (q', Z')
11          init_rank(q', Z')
12          if there is no (qB, ZB) ∈ P s.t. (q', Z') ⊑ (qB, ZB) then
13            for each (qS, ZS) ∈ P s.t. (qS, ZS) ⊑ (q', Z')
14              if (qS, ZS) ∉ W then                    // implies not a leaf node in P
15                rank(q', Z') := max(rank(q', Z'), 1 + max_rank_waiting(qS, ZS))
16              remove (qS, ZS) from W and P
17            add (q', Z') to W and to P
18    return No
19
20  function max_rank_waiting(q, Z)
21    if (q, Z) is in W then                            // implies leaf node in P
22      return rank(q, Z)
23    else
24      r := 0
25      for each edge (q, Z) ⇒ (q', Z') in P
26        r := max(r, max_rank_waiting(q', Z'))
27      return r
28
29  function init_rank(q, Z)
30    if Z is the true zone then
31      rank(q, Z) := ∞
32    else
33      rank(q, Z) := 0


The function max_rank_waiting determines the maximal rank among waiting nodes below (qS, ZS). To that purpose, the set of visited nodes P is stored as a reachability tree. When a node (qS, ZS) is removed in line 16, its parent node is connected to its child nodes to maintain reachability of waiting nodes. Observe that the node (q', Z') is added to the tree P in line 17 after its rank has been updated in line 15. This is needed in the particular case where (qS, ZS) is an ancestor of node (q', Z') in line 15. The rank of (q', Z') will be updated taking into account the waiting nodes below (qS, ZS). Obviously, (q', Z') should not be considered among those waiting nodes, which is guaranteed since (q', Z') does not belong to the tree yet.

Fig. 3: Exploration graph of Algorithm 1.2 on the automaton in Figure 1a.

Fig. 4: Exploring from t only after all paths leading to t are explored.

The intuition behind the use of ranks suggests one more useful heuristic. Ranks are used to give priority to exploration from some nodes over the others. Nodes with true zones are a special case in this context, since they can never be covered, and in consequence it is always better to explore them first. We implement this observation by simply assigning the biggest possible rank (∞) to such nodes (line 31 in the Algorithm).

Let us explain how Algorithm 1.2 works on an example. Consider again the automaton in Figure 1a. The final exploration graph is depicted in Figure 3. When (q1, Z1) is visited, both (q3, Z3) and (q2, Z2) are put into the waiting list W with rank 0. Recall that exploring (q3, Z3) first is the worst exploration order. This adds (q4, Z4) to the waiting list with rank 0. The exploration of (q2, Z2) adds (q3, Z'3) to the waiting list. At this stage, the rank of (q3, Z'3) is set to 1 since it is bigger than (q3, Z3), which is erased. The node (q3, Z'3) has the highest priority among all waiting nodes and is explored next. This generates the node (q4, Z'4) that is bigger than (q4, Z4). Hence (q4, Z4) is erased, (q4, Z'4) gets rank 1 and the exploration proceeds from (q4, Z'4). One can see that, when a big node is reached, the algorithm not only stops the exploration of the smaller node but also of the nodes in its subtree. Figure 3 shows a clear improvement over Figure 1b.
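The following Python is an added example, not the paper's code nor the implementation the paper evaluates, and it serves both Section 2.3 (Algorithm 1.1) and this section (Algorithm 1.2). It runs both algorithms on a constructed single-clock automaton in the spirit of Figure 1a; the guards, the reset on the back edge and the state names are assumptions. With one clock and only lower-bound guards, every zone that is closed under delay has the form y ≥ lo, so a zone is stored as the integer lo and node inclusion reduces to comparing bounds, which keeps the example free of DBMs and abstraction. P is kept as a reachability tree as this section requires, and the function reports visited nodes, mistakes (visited nodes absent from the final P, the measure used in Section 5) and stored nodes, so the effect of the transition order and of the ranks can be compared directly.

```python
"""Added example (not the paper's code): Algorithm 1.1 and Algorithm 1.2 on a
constructed single-clock automaton in the spirit of Figure 1a.  Guards, the
reset on the back edge and the state names are assumptions."""
import math
from collections import OrderedDict

# One clock y.  A transition is (g, reset, target) with guard "y >= g".  Every
# zone we meet is closed under delay and only lower-bound guards occur, so a
# zone has the form {y >= lo} and is stored as the integer lo; lo == 0 is the
# true zone.  Node inclusion (q, lo) ⊑ (q, lo') holds iff lo >= lo'.
TOY = {
    "q1": [(2, False, "q3"), (1, False, "q2")],   # direct edge to q3 listed first
    "q2": [(0, False, "q3")],                     # q1 -> q2 -> q3 yields the bigger zone
    "q3": [(0, False, "q4")],
    "q4": [(0, True, "q1")],                      # back edge, resets y
}
INIT = ("q1", 0)

def successors(aut, node, reverse=False):
    q, lo = node
    edges = aut[q][::-1] if reverse else aut[q]
    # guard y >= g on {y >= lo} followed by delay gives {y >= max(lo, g)}; a reset gives true
    return [(tgt, 0 if reset else max(lo, g)) for g, reset, tgt in edges]

def covers(big, small):
    return big[0] == small[0] and big[1] <= small[1]

def init_rank(node):
    return math.inf if node[1] == 0 else 0        # true zone gets the biggest rank

def explore(aut, reverse=False, ranking=False):
    """ranking=False: Algorithm 1.1 with FIFO selection, i.e. BFS.
    ranking=True: Algorithm 1.2, highest rank first, FIFO among equal ranks.
    Returns (visited nodes, mistakes, nodes stored in the final P); a mistake
    is a visited node that is no longer in P at the end of the run."""
    W = OrderedDict([(INIT, None)])               # waiting nodes, insertion order
    P = {INIT}                                    # stored nodes, kept as a tree
    parent, children, rank = {INIT: None}, {INIT: set()}, {INIT: init_rank(INIT)}
    visited = []

    def max_rank_waiting(n):                      # highest rank of a waiting node below n
        if n in W:
            return rank[n]
        return max((max_rank_waiting(c) for c in children[n]), default=0)

    def remove(n):                                # drop n from W and P, reattach its subtree
        W.pop(n, None)
        P.discard(n)
        par = parent[n]
        if par is not None:
            children[par].discard(n)
            for c in children[n]:
                parent[c] = par
                children[par].add(c)

    while W:
        cur = max(W, key=lambda n: rank[n]) if ranking else next(iter(W))
        del W[cur]
        visited.append(cur)
        for nxt in successors(aut, cur, reverse):
            r = init_rank(nxt)                    # init_rank(q', Z')
            if any(covers(b, nxt) for b in P):    # subsumed by a stored node: skip
                continue
            for small in [s for s in P if covers(nxt, s)]:
                if ranking and small not in W:    # small is an inner node: lift the rank
                    r = max(r, 1 + max_rank_waiting(small))
                remove(small)
            attach = cur                          # cur itself may just have been removed
            while attach not in P:
                attach = parent[attach]
            parent[nxt], children[nxt], rank[nxt] = attach, set(), r
            children[attach].add(nxt)
            W[nxt] = None                         # add (q', Z') to W and P after ranking it
            P.add(nxt)
    mistakes = sum(1 for n in visited if n not in P)
    return len(visited), mistakes, len(P)

if __name__ == "__main__":
    for reverse in (False, True):
        for ranking in (False, True):
            print(f"q3-first={not reverse} ranking={ranking}:", explore(TOY, reverse, ranking))
```

With the direct edge to q3 taken first, BFS visits the small node (q3, y ≥ 2) and its child before the bigger (q3, y ≥ 1) arrives via q2, so two visited nodes end up outside the final P; the ranked variant lifts the rank of the bigger node above the waiting child of the small one and saves one of those visits; with the edge to q2 first, both variants make no mistake.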


4 Waiting strategy 

We present an exploration strategy that will aim at reducing the number of 
exploration mistakes: situations when a bigger node is discovered later than a 
smaller one. The ranking strategy from the previous section reduced the cost of 
a mistake by stopping the exploration from descendants of a small node when 
it found a bigger node. By contrast, the waiting strategy of this section will not 
develop a node if it is aware of some other parts of exploration that may lead to 
a bigger node. 

The waiting strategy is based on a topological-like order on the states of automata. We first present this strategy on a single automaton. Then we consider networks of timed automata, and derive a topological-like ordering from orderings on the components. Before we start we explain what kind of phenomenon our strategy is capturing.

To see what we aim at, consider the part of a timed automaton depicted in Figure 4. There is a number of paths from state s to state t, not necessarily of the same length. Suppose the search strategy from (s, Z) has reached (t, Z1) by following the path through v1. At this point it is reasonable to delay exploration from (t, Z1) until all explorations of paths through v2, ..., vk finish. This is because some of these explorations may result in a bigger zone than Z1, and in consequence make an exploration from (t, Z1) redundant.

The effect of such a waiting heuristic is clearly visible on our example from Figure 2. The automaton consists of segments: from q1 to q3, from q3 to q5, etc. Every segment is a very simple instance of the situation from Figure 4 that we have discussed in the last paragraph. There are two paths that lead from state q1 to state q3. These two paths have different lengths, so with a BFS exploration one of the paths will reach q3 faster than the other. The longest path (the one going through q2) gives the biggest zone in q3; but BFS will not be able to use this information, and in consequence it will generate exponentially many nodes on this example. The waiting heuristic will collect all the search paths at states q3, q5, ... and will explore only the best ones, so its search space will be linear.

We propose to implement these ideas via a simple modification of the standard algorithm. The waiting strategy will be based on a partial order ⊑topo on the states of A. We will think of it as a topological order of the graph of the automaton (after removing cycles in some way). This order is then used to determine the exploration order.


Algorithm 1.3: Reachability algorithm with waiting strategy

This algorithm is obtained from the standard Algorithm 1.1 by changing line 5 to:
      take and remove (q, Z) minimal w.r.t. ⊑topo from W

In the remainder of the section we will propose some simple ways of finding a suitable ⊑topo order.


4.1 Topological-like ordering for a timed automaton 

It is helpful to think of the order ⊑topo on states as some sort of topological ordering, but we cannot really assume this since the graphs of our automata may have loops. Given a timed automaton A, we find a linear order on the states of A in two steps:

1. we find a maximal subset of transitions of A that gives a graph A_DAG without cycles;

2. then we compute a topological ordering of this graph.

Given an automaton A, the graph A_DAG can be computed by running a depth-first search (DFS) from the initial state of A. While traversing A, we only consider the transitions that point downwards or sideways; in other words we ignore all the transitions that lead to a state that is on the current search stack. At the end of the search, when all the states have been visited, the transitions that have not been ignored form the graph A_DAG.

As an example, consider the timed automaton A in Figure 1a. The transition from q4 to q1 is ignored when computing A_DAG starting from q1. A topological-like ordering is computed from the resulting graph: q1 ⊑topo q2 ⊑topo q3 ⊑topo q4. Let us see how ⊑topo helps Algorithm 1.1 to explore bigger nodes first. Starting from node (q1, true), Algorithm 1.1 adds (q2, true) and (q3, y > 1) to the waiting list. Since q2 ⊑topo q3, the algorithm then explores node (q2, true), hence adding node (q3, true) to the waiting list. The small node (q3, y > 1) is then automatically erased, and the exploration proceeds from the big node (q3, true). Observe that the exploration of the node (q3, y > 1) is postponed until the second path reaches q3. At this stage, the zone inclusion relation will help to stop all explorations of smaller nodes; in our case it is (q3, y > 1). Thus, the algorithm performs optimally on this example: no exploration step can be avoided.

4.2 Topological-like ordering for networks of timed automata 

Real-time systems often consist of several components that interact with each 
other. In order to apply the same approach we need to find an ordering on a 
set of global states of the system. For this we will find an ordering for each 
component and then extend it to the whole system without calculating the set 
of global states. 

We suppose that each component of a system is modelled by a timed automaton $A_i = (Q_i, q_{0i}, F_i, X_i, Act_i, T_i)$. The system is modelled as the product $A = (Q, q_0, F, X, Act, T)$ of the components $(A_i)_{1 \le i \le k}$. The states of $A$ are the tuples of states of $A_1, \ldots, A_k$: $Q = Q_1 \times \cdots \times Q_k$ with initial state $q_0 = (q_{01}, \ldots, q_{0k})$ and final states $F = F_1 \times \cdots \times F_k$. Clocks and actions are shared among the processes: $X = \bigcup_{1 \le i \le k} X_i$ and $Act = \bigcup_{1 \le i \le k} Act_i$. Interactions are modelled by the synchronisation of processes over the same action. There is a transition $((q_1, \ldots, q_k), g, R, a, (q'_1, \ldots, q'_k)) \in T$ if

– either there are two processes $i$ and $j$ with transitions $(q_i, g_i, R_i, a, q'_i) \in T_i$ and $(q_j, g_j, R_j, a, q'_j) \in T_j$ such that $g = g_i \wedge g_j$ and $R = R_i \cup R_j$, and $q'_l = q_l$ for every process $l \ne i, j$ (synchronised action);

– or there is a process $i$ with transition $(q_i, g, R, a, q'_i) \in T_i$ such that for every process $l \ne i$, $a \notin Act_l$ and $q'_l = q_l$ (local action).

The product above allows synchronisation of 2 processes at a time. Our work does not rely on a specific synchronisation policy, hence other models of interaction (broadcast communications, n-ary synchronisation, etc.) could be considered as well. Notice that the product automaton A is, in general, exponentially bigger than each component Ai.

The semantics of a network of timed automata (Ai)_{1≤i≤k} is defined as the semantics of the corresponding product automaton A. As a result, the reachability problem for (Ai)_{1≤i≤k} reduces to the reachability problem in A.




In order to apply the same approach as above, an ordering must be defined on the states of A, which are tuples q = (q1, ..., qk) of states of the component automata Ai. It would not be reasonable to compute the product automaton A as its size grows exponentially with the number of its components. We propose an alternative solution that consists in computing a topological-like ordering ⊑topo^i for each component Ai. To that purpose, we can apply the algorithm introduced in the previous section. Then, the ordering of tuples of states is defined pointwise:

Definition 1 (Joint ordering). For $q, q' \in Q_1 \times \cdots \times Q_k$, we have $q \sqsubseteq_{topo} q'$ if $q_i \sqsubseteq^{i}_{topo} q'_i$ for all $1 \le i \le k$.

Thus for networks of timed automata we consider the joint ordering in our 
waiting strategy. 
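As an added example (not the paper's code), the Python below implements the two-step construction of Section 4.1 (a DFS that ignores transitions to states on the search stack, then a topological ordering of the remaining graph A_DAG), the joint ordering of Definition 1, and the selection rule of Algorithm 1.3 that takes a waiting node minimal w.r.t. ⊑topo. The component graphs and the waiting lists are constructed; the first graph mirrors the state graph of Figure 1a, and the second component and all zone labels are assumptions. Because ⊑topo on tuples is only a partial order, the selection has to cope with incomparable waiting nodes, which the demo exercises.

```python
"""Added example (not the paper's code): the topological-like ordering of
Section 4.1, the joint ordering of Definition 1 and the selection rule of
Algorithm 1.3.  The automata and waiting lists below are constructed."""

def topo_like_order(init, edges):
    """DFS from `init` that ignores every transition leading to a state on the
    current search stack; the transitions that are kept form the acyclic graph
    A_DAG, and the reversed DFS post-order of that graph is a topological
    ordering of it.  Returns {state: position}; a smaller position is earlier."""
    on_stack, done, post = set(), set(), []

    def dfs(q):
        on_stack.add(q)
        for nxt in edges.get(q, []):
            if nxt in on_stack:            # back edge: dropped from A_DAG
                continue
            if nxt not in done:
                dfs(nxt)
        on_stack.discard(q)
        done.add(q)
        post.append(q)

    dfs(init)
    return {q: i for i, q in enumerate(reversed(post))}

def joint_le(pos, q, q2):
    """Definition 1: q ⊑topo q2 iff q_i ⊑topo^i q2_i for every component i.
    `pos` is the list of per-component orderings; q and q2 are state tuples."""
    return all(pos[i][a] <= pos[i][b] for i, (a, b) in enumerate(zip(q, q2)))

def strictly_below(pos, q, q2):
    return q != q2 and joint_le(pos, q, q2)

def choose_waiting(pos, waiting):
    """Algorithm 1.3: take a node (state tuple, zone) minimal w.r.t. ⊑topo from
    the waiting list.  ⊑topo is a partial order on tuples, so several minimal
    nodes may exist; the first in list order wins, so ties behave like BFS."""
    for node in waiting:
        if not any(strictly_below(pos, other[0], node[0]) for other in waiting):
            return node
    return None

# Constructed component graphs (only the transition structure matters here).
# FIG1 mirrors the state graph of Figure 1a with the back edge q4 -> q1;
# PROC is an assumed second component used to build a network.
FIG1 = {"q1": ["q3", "q2"], "q2": ["q3"], "q3": ["q4"], "q4": ["q1"]}
PROC = {"p1": ["p2"], "p2": ["p3"], "p3": ["p1"]}

def demo():
    single = [topo_like_order("q1", FIG1)]
    # After exploring (q1, true): the direct edge gave (q3, y > 1), the other (q2, true).
    first = choose_waiting(single, [(("q3",), "y > 1"), (("q2",), "true")])
    network = single + [topo_like_order("p1", PROC)]
    # (q3, p1) and (q2, p2) are incomparable; (q2, p1) lies below both of them.
    incomparable = choose_waiting(network, [(("q3", "p1"), "Za"), (("q2", "p2"), "Zb")])
    dominated = choose_waiting(network, [(("q3", "p1"), "Za"), (("q2", "p2"), "Zb"),
                                         (("q2", "p1"), "Zc")])
    return single[0], first, incomparable, dominated

if __name__ == "__main__":
    print(demo())
```

On the Figure 1a graph the DFS drops q4 → q1 and yields q1 before q2 before q3 before q4, so the waiting node at q2 is taken before the one at q3, exactly the order Section 4.1 describes; in the two-component network the pair (q3, p1) and (q2, p2) is incomparable and the first listed wins, while adding (q2, p1) makes it the unique minimal choice.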

5 Experimental evaluation 

We present and comment on the experiments that we have performed. The results indicate that a mix of the ranking and waiting strategies avoids mistakes in most of the examples.

We have evaluated the ranking system (Section 3) and the waiting strategy (Section 4) on classical benchmarks from the literature¹: Critical Region (CR), Csma/Cd (C), Fddi (FD), Fischer (Fi), Flexray (Fl-PL) and Lynch (L), and on the BlowUp (B) example in Figure 2. These automata have no reachable accepting state, hence forcing the algorithms to visit the entire state-space of the automata to prove unreachability.

Our objective is to avoid mistakes during exploration of the state-space of timed automata. At the end of the run of the algorithm, the set of visited nodes P forms an invariant showing that accepting nodes are unreachable. Every node that is visited by the algorithm and that does not belong to P at the end of the run is useless to prove unreachability. This happens when the algorithm makes a mistake: it first visits a small node before reaching a bigger node later. We aim at finding a search order that visits bigger nodes first, hence making as few mistakes as possible. Notice that it is not always possible to completely avoid mistakes since the only paths to a big node may have to visit a small node first.

We compare three algorithms in Table 1: BFS, the standard breadth-first search algorithm² (i.e. Algorithm 1.1); R-BFS, which implements a breadth-first search with priority to the highest ranked nodes (i.e. Algorithm 1.2); and TW-BFS, which combines giving highest priority to true-zone nodes and the waiting strategy. We report on the number of visited nodes, the number of mistakes, the maximum number of stored nodes, and the final number of stored nodes. We also mention in column "visited ranking" the number of nodes that are re-visited to update the rank of the nodes by algorithm R-BFS (line 15 in Algorithm 1.2). The number of visited nodes gives a good estimate of the running time of the algorithm, while the maximal number of stored nodes gives a precise indication of the memory used for the set P.

¹ The models are available from http://www.labri.fr/perso/herbrete/tchecker.

² Algorithm 1.1 is essentially the algorithm that is implemented in UPPAAL [2].

The ranking system gives very good results on all models except Csma/Cd. It 
makes no mistakes on Fischer and Lynch. This is due to the highest priority 
given to true-zone nodes: column "visited ranking" shows that ranks are never 
updated on these models, hence the nodes keep their initial rank. It also performs 
impressively well on BlowUp, Fddi and Flexray, gaining several orders of 
magnitude in the number of mistakes. However, it makes more mistakes than 
BFS on Csma/Cd. Indeed, the ranking system is efficient only when big nodes are 
reached quickly, as the example in Figure 3 shows. When the big node $(q_3, Z'_3)$ 
is reached, the ranking system stops the exploration of the subtree of the small 
node at $(q_4, Z_4)$. However, making the path $q_1 \to q_2 \to q_3$ longer in 
the automaton of Figure 1a leads to exploring a bigger part of the subtree of 
$(q_3, Z_3)$. If this path is long enough, the entire subtree of $(q_3, Z_3)$ may be 
visited before $(q_3, Z'_3)$ is reached. The ranking system does not provide any 
help in this situation. This bad scenario occurs in the Csma/Cd example. 

We have also evaluated the waiting strategy on its own (not reported in Table 1). 
While the results are good on some models (BlowUp, Fddi, Csma/Cd), the waiting 
strategy makes far more mistakes than the standard BFS on Lynch and Flexray. 
Indeed, the waiting strategy is sensitive to the choice of topological ordering. 
Consider the automaton in Figure 1a with an extra transition $q_3 \to q_2$. 
The loop on $q_2$ and $q_3$ admits several topological orderings, for instance 
$q_1 \sqsubseteq_{topo} q_2 \sqsubseteq_{topo} q_3 \sqsubseteq_{topo} q_4$ and 
$q_1 \sqsubseteq_{topo} q_3 \sqsubseteq_{topo} q_2 \sqsubseteq_{topo} q_4$. These two 
choices lead to very different behaviours of the algorithm. Once the initial node 
has been explored, the two nodes $(q_3, y > 1)$ and $(q_2, \mathit{true})$ are in the waiting 
queue. With the first ordering, $(q_2, \mathit{true})$ is selected first and generates 
$(q_3, \mathit{true})$, which cuts the exploration of the smaller node $(q_3, y > 1)$. 
With the second ordering, $(q_3, y > 1)$ is visited first. As a result, $(q_3, \mathit{true})$ 
is reached too late, and the entire subtree of $(q_3, y > 1)$ is explored unnecessarily. 
We have investigated the robustness of the waiting strategy with respect to random 
topological orderings for the models in Table 1. The experiments confirm that the 
waiting strategy is sensitive to the topological ordering. For most models, the best 
results are achieved with the topological ordering obtained by running a DFS on the 
automaton, as suggested in Section 4.1. 

The two heuristics perform well on different models. This suggests combining 
their strengths. Consider again the automaton in Figure 1a with an extra 
transition $q_3 \to q_2$. As explained above, due to the cycle on $q_2$ and $q_3$, 
several topological orderings are possible for the waiting strategy. The choice of 
$q_1 \sqsubseteq_{topo} q_3 \sqsubseteq_{topo} q_2 \sqsubseteq_{topo} q_4$ leads to a bad 
situation where $(q_3, y > 1)$ is taken first when the two nodes $(q_3, y > 1)$ and 
$(q_2, \mathit{true})$ are in the waiting queue. As a result, the node $(q_3, y > 1)$ is 
visited without waiting for the bigger node $(q_3, \mathit{true})$. In such a situation, 
combining the ranking and the waiting strategies helps. Indeed, after $(q_3, y > 1)$ 
has been explored, the waiting queue contains the two nodes $(q_2, \mathit{true})$ and 
$(q_4, 1 < y < 5)$. Since $q_2 \sqsubseteq_{topo} q_4$, the algorithm picks $(q_2, \mathit{true})$, 
hence generating $(q_3, \mathit{true})$. As a true-zone node, $(q_3, \mathit{true})$ immediately 
gets a higher rank than every waiting node. Exploring $(q_3, \mathit{true})$ generates 
$(q_4, y < 5)$, which cuts the exploration from the small node $(q_4, 1 < y < 5)$. 

We have tried several combinations of the two heuristics. The best one consists 
in using the waiting strategy with priority to true zones. More precisely, 
the resulting algorithm TW-BFS selects a waiting node as follows: 

— true-zone nodes are taken first; 
— if there is no true-zone node, the nodes are taken according to the waiting 
strategy, ties being broken in BFS order. 
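The selection rule above, together with the notion of mistake introduced at the beginning of this section and the sensitivity of the waiting strategy to the topological ordering, can be exercised on a small constructed model. The Python program below is an added illustration and is not code from the paper or from its prototype. It abstracts zones over a single clock y as closed intervals (so zone inclusion is plain interval containment), runs an Algorithm 1.1-style exploration with a pluggable selection key, and counts visited nodes, mistakes (passed nodes later removed by a bigger node with the same state) and stored nodes. The four-state automaton, its guards y >= 2 and y <= 4, the two topological orderings and the three key functions are constructed for this example and are not the paper's Figure 1a; the keys are one possible encoding of BFS order, of the waiting strategy alone, and of TW-BFS.

```python
"""Toy zone-based reachability with a pluggable search order (constructed example)."""
from typing import Callable, Dict, List, Optional, Tuple

Zone = Tuple[Optional[int], Optional[int]]  # (lo, hi) on one clock y; None = unbounded
Node = Tuple[str, Zone]                     # (state, zone)
TRUE: Zone = (None, None)                   # the "true" zone: no constraint at all

# Constructed automaton: (source, target, guard). The edge q1 -> q3 is listed
# first so that plain BFS reaches the small node (q3, y >= 2) before (q2, true).
EDGES: List[Tuple[str, str, Zone]] = [
    ("q1", "q3", (2, None)),   # guard y >= 2
    ("q1", "q2", TRUE),
    ("q2", "q3", TRUE),
    ("q3", "q4", (None, 4)),   # guard y <= 4
]

def included(z1: Zone, z2: Zone) -> bool:
    """Zone inclusion z1 <= z2 for interval zones."""
    (lo1, hi1), (lo2, hi2) = z1, z2
    lo_ok = lo2 is None or (lo1 is not None and lo1 >= lo2)
    hi_ok = hi2 is None or (hi1 is not None and hi1 <= hi2)
    return lo_ok and hi_ok

def intersect(z1: Zone, z2: Zone) -> Optional[Zone]:
    """Intersection of two interval zones, or None when it is empty."""
    lo = max((b for b in (z1[0], z2[0]) if b is not None), default=None)
    hi = min((b for b in (z1[1], z2[1]) if b is not None), default=None)
    if lo is not None and hi is not None and lo > hi:
        return None
    return (lo, hi)

def successors(node: Node, edges: List[Tuple[str, str, Zone]]) -> List[Node]:
    """Follow every outgoing edge whose guard is satisfiable from the node's zone."""
    q, z = node
    out: List[Node] = []
    for src, dst, guard in edges:
        if src == q:
            z2 = intersect(z, guard)
            if z2 is not None:
                out.append((dst, z2))
    return out

def explore(edges, init: Node, key: Callable[[Node], tuple]) -> Dict[str, int]:
    """Algorithm 1.1-style exploration; `key` orders the waiting list, ties are FIFO."""
    passed: List[Node] = []
    waiting: List[Tuple[int, Node]] = [(0, init)]  # (insertion number, node)
    seq = 1
    visited = mistakes = max_stored = 0
    while waiting:
        # Linear scan for clarity; a heap keyed on the same tuple does the same job.
        idx = min(range(len(waiting)), key=lambda i: (key(waiting[i][1]), waiting[i][0]))
        _, (q, z) = waiting.pop(idx)
        if any(p == q and included(z, pz) for p, pz in passed):
            continue  # subsumed by a passed node: skipped, not counted as visited
        passed.append((q, z))
        visited += 1
        max_stored = max(max_stored, len(passed))
        for q2, z2 in successors((q, z), edges):
            covered = (any(p == q2 and included(z2, pz) for p, pz in passed) or
                       any(w == q2 and included(z2, wz) for _, (w, wz) in waiting))
            if covered:
                continue
            # A bigger node arrived: every smaller stored node with that state is useless.
            before = len(passed)
            passed = [(p, pz) for p, pz in passed if not (p == q2 and included(pz, z2))]
            mistakes += before - len(passed)  # visited nodes that will not be in the final P
            waiting = [(s, (w, wz)) for s, (w, wz) in waiting
                       if not (w == q2 and included(wz, z2))]
            waiting.append((seq, (q2, z2)))
            seq += 1
    return {"visited": visited, "mistakes": mistakes,
            "stored": len(passed), "max_stored": max_stored}

def bfs_key(node: Node) -> tuple:
    """Plain BFS: no priority, insertion order only."""
    return ()

def waiting_key(topo: Dict[str, int]) -> Callable[[Node], tuple]:
    """Waiting strategy alone: take waiting nodes by topological rank of their state."""
    return lambda node: (topo[node[0]],)

def tw_key(topo: Dict[str, int]) -> Callable[[Node], tuple]:
    """TW-BFS: true-zone nodes first, then topological rank, then insertion order."""
    return lambda node: (0 if node[1] == TRUE else 1, topo[node[0]])

def compare() -> Dict[str, Dict[str, int]]:
    """Run the four search orders on the constructed automaton from (q1, true)."""
    good = {"q1": 0, "q2": 1, "q3": 2, "q4": 3}  # q1 < q2 < q3 < q4
    bad = {"q1": 0, "q3": 1, "q2": 2, "q4": 3}   # q1 < q3 < q2 < q4
    init: Node = ("q1", TRUE)
    return {
        "BFS": explore(EDGES, init, bfs_key),
        "W-BFS/good": explore(EDGES, init, waiting_key(good)),
        "W-BFS/bad": explore(EDGES, init, waiting_key(bad)),
        "TW-BFS/bad": explore(EDGES, init, tw_key(bad)),
    }

if __name__ == "__main__":
    for name, stats in compare().items():
        print(f"{name:11s} {stats}")
```

On this toy, plain BFS visits 6 nodes and makes 2 mistakes (both (q3, y >= 2) and its child (q4, 2 <= y <= 4) are later covered by bigger nodes), the waiting strategy alone makes no mistake with the ordering q1 < q2 < q3 < q4 but one mistake with q1 < q3 < q2 < q4, and TW-BFS makes none even with the bad ordering, because (q2, true) is a true-zone node and is selected before (q3, y >= 2). In every run the final number of stored nodes equals visited minus mistakes, which is the identity used to read Table 1.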

As Table 1 shows, TW-BFS makes no mistakes on all models but three. Critical 
Region has unavoidable mistakes: big nodes that can only be reached after 
visiting a smaller node. The topological ordering used for Fddi is not optimal: 
there exists a topological search order for which TW-BFS makes no mistakes, 
but it is not the one obtained by the algorithm presented in Section 4.1. 
Finally, TW-BFS makes a lot of mistakes on Flexray, but its memory usage is almost 
optimal, since the mistakes are quickly eliminated. This example is the only one 
where the ranking heuristic clearly outperforms TW-BFS. 

We have also evaluated TW-BFS on randomised versions of the models in 
Table 1. Randomisation consists in taking the transitions in a non-fixed order, 
hence increasing the likelihood of racing situations like the one in Figure 1. The 
experiments show that the strategies are robust to such randomisation: the results 
on random instances are very close to the ones reported in the table. 

The ranking strategy R-BFS requires keeping a tree structure over the passed 
nodes. Using the classical left-child right-sibling encoding, the tree can be 
represented with only two pointers per node. This tree is explored when the rank of a 
node is updated (line 15 in Algorithm 1.2). Column "visited ranking" in Table 1 
shows that these explorations do not incur any significant overhead in terms of 
explored nodes, except for Csma/Cd and Critical Region, for which it has 
been noticed above that algorithm R-BFS does not perform well. Furthermore, 
exploring the tree is inexpensive since the visited nodes, in particular their zones, 
have already been computed. Both the ranking strategy and the waiting strategy 
require keeping the list of waiting nodes sorted. Our prototype implementation, based on 
insertion sort, is slow. However, preliminary experiments show that implementing 
the list of waiting nodes as a heap is very efficient. 

To summarise, we can consider our findings from the practical point of view of 
an implementation. The simplest strategy to implement would be to give priority 
to true zones. This would already give some improvement, but on Fddi, for example, 
there would be none, since that model has no true zones. R-BFS gives very good 
results on the Flexray model, but its implementation is more complex. The TW-BFS 
strategy is relatively easy to implement and has very good performance on all but 
one model, where its memory usage remains comparable to that of standard BFS. This 
suggests that TW-BFS could be used as a replacement for BFS. 
      |                 BFS                   |                       R-BFS                        |                TW-BFS
Model |  visited mistakes   stored max.stored |  visited mistakes   stored max.stored  vis.ranking |  visited mistakes   stored max.stored
------+---------------------------------------+----------------------------------------------------+--------------------------------------
B-5   |       63       52       11         22 |       16        5       11         11           13 |       11        0       11         11
B-10  |     1254     1233       21        250 |       31       10       21         21           28 |       21        0       21         21
B-15  |    37091    37060       31       6125 |       46       15       31         31           43 |       31        0       31         31
FD-8  |     2635     2294      341        439 |      437       96      341        341          579 |      349        8      341        341
FD-10 |    10219     9694      525        999 |      684      159      525        525         1168 |      535       10      525        525
FD-15 |   320068   318908     1160      18707 |     1586      426     1160       1160         4543 |     1175       15     1160       1160
C-10  |    39698     5404    34294      48286 |    59371    25077    34294      52210        54319 |    34294        0    34294      34302
C-11  |    98118    17233    80885     124220 |   153042    72157    80885     130557       160822 |    80885        0    80885      80894
C-12  |   239128    50724   188404     311879 |   378493   190089   188404     320181       430125 |   188404        0   188404     188414
Fi-7  |    11951     4214     7737       7738 |     7737        0     7737       7737            0 |     7737        0     7737       7737
Fi-8  |    40536    15456    25080      25082 |    25080        0    25080      25080            0 |    25080        0    25080      25080
Fi-9  |   135485    54450    81035      81038 |    81035        0    81035      81035            0 |    81035        0    81035      81035
L-8   |    45656    15456    30200      30202 |    30200        0    30200      30200            0 |    30200        0    30200      30200
L-9   |   147005    54450    92555      92558 |    92555        0    92555      92555            0 |    92555        0    92555      92555
L-10  |   473198   186600   286598     286602 |   286598        0   286598     286598            0 |   286598        0   286598     286598
CR-3  |     1670      447     1223       1223 |     1532      309     1223       1223         1837 |     1563      340     1223       1223
CR-4  |    21180     7440    13740      13740 |    17694     3954    13740      13740        24295 |    19489     5749    13740      13740
CR-5  |   285094   113727   171367     171367 |   216957    45590   171367     171367       307010 |   257137    85770   171367     171367
Fl-PL |   881214   228265   652949     652949 |   655653     2704   652949     652949         6977 | 12660557 11997402   663155     684467

Table 1: Experimental results. BFS corresponds to Algorithm 1.1 with a BFS 
order on the waiting nodes, R-BFS implements the ranking system on top of 
the BFS algorithm (i.e. Algorithm 1.2), and TW-BFS implements the waiting 
strategy with priority to true-zone nodes. For each algorithm, "visited" is the 
number of visited nodes, "mistakes" the number of visited nodes that are later 
removed from $P$, "stored" the final number of stored nodes (visited minus mistakes) 
and "max.stored" the maximum number of stored nodes during the run. Column 
"vis.ranking" is the number of nodes re-visited by R-BFS to update ranks (line 15 
in Algorithm 1.2). 


6 Conclusion 

We have analysed the phenomenon of mistakes in the zone-based reachability 
algorithm for timed automata. A mistake occurs when the exploration algorithm 
visits a node that is later removed due to the discovery of a bigger node. 
It is well known that DFS exploration may suffer from a large number of 
mistakes. We have exhibited examples where BFS also makes a large number 
of mistakes that can be avoided. 

To limit the number of mistakes during exploration we have proposed two heuristics: 
the ranking system and the waiting strategy. The experiments on standard models 
show that, compared with the standard BFS reachability algorithm, the strategies 
using our heuristics give not only a smaller number of visited nodes but 
also a smaller number of stored nodes. On most examples our strategies are 
optimal, as they do not make any mistakes. In addition, the experiments 
indicate that the TW-BFS strategy often works as well as the combination of 
both the waiting and the ranking strategies, while its implementation is much simpler. 
Therefore, we suggest using the TW-BFS algorithm instead of standard BFS for 
reachability checking. 